Secure roaming between wireless access points

ABSTRACT

A system, method, and computer readable medium for enabling roaming of wireless client stations among wireless access points are disclosed. A gateway programmed to receive session data requests is provided in a network, which comprises access points which are programmed to send session data requests to the gateway. The gateway sends session information setting commands to the requesting access point, or sends a session data failure response to the access point.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit, under 35 U.S.C. §365, of International Application PCT/US04/02491, filed Jan. 29, 2004, which was published in accordance with PCT Article 21(2) on Nov. 4, 2004 in English and which claims the benefit of U.S. provisional patent application No. 60/458,189, filed Mar. 27, 2003.

TECHNICAL FIELD

This invention relates to wireless local area networks, and particularly to methods and systems that facilitate roaming between wireless access points on a wireless access network.

BACKGROUND OF THE INVENTION

IEEE 802.11-based wireless local area networks (WLANs) have become the focus of much research and development in recent years. WLANs offer simple, convenient-to-use, high-throughput ways in which portable computer users can break away from the tethers of the wired world and move around freely with comparable network throughput. However, when a user moves from one access point to another, there is a need to provide seamless roaming. Present technology does not adequately meet this requirement.

In most current deployments, IEEE 802.11 uses static Wired Equivalent Privacy (WEP) keys and does not support per-user session keys; thus the wireless stations (usually clients) and all access points participating in roaming can have the same static WEP key. However, the security problems with static WEP keys have been highly publicized. Further, static WEP key protocols do not solve the distribution of authorization information to a large number of access points. To solve this problem, the IEEE 802.11 standard is trying to develop an Inter Access Point Protocol (IAPP).

The IEEE 802.1x standard addresses the security problem in IEEE 802.11 by using port-based access control. In a large 802.1x installation, a backend authentication server authenticates the user. In order to secure the wireless link, the wireless station must go through an authentication process involving the station, the access point and the authentication server. If authentication is successful, a session key is agreed upon between the wireless station and the access point. This solution enables roaming, but with high overhead: each time a station associates with a different access point, for example because of signal fluctuation, the whole authentication process has to be carried through. This is highly undesirable, especially when the authentication server is far away from the wireless LAN, e.g., in an inter-working environment where the WLAN is in, for example, JFK airport but the authentication server belongs to, for example, SBC in California.

There is a need to provide seamless roaming when a wireless user (client) wishes to switch to an access point with better signal strength.

There is also a need to move per-user session keys and authorization information from one access point to another when a client roams between wireless access points.

SUMMARY OF THE INVENTION

These needs and others, which will become apparent from the following disclosure, are met by the present invention, which comprises in one aspect a wireless local area network comprising a gateway to control multiple access points. The access points reside in a wired or other type of network. The gateway is programmed to receive session data requests from access points, look up session data, and send session data back to the requesting access points. The access points are programmed to send requests for session data to the gateway and to receive and process session information setting commands from the gateway.

A system comprising such a gateway moves the “intelligence” of the wireless network into the gateway and results in very simple access points, which enables easier control and more economical installation for large deployments.

In another aspect, the invention comprises a method of, and computer readable medium for, enabling roaming of wireless clients among wireless access points in a network, comprising providing a gateway in the network, sending session data requests from access points to the gateway, looking up session data stored in the gateway, reporting session data failure if session data is not found, and sending a session data response from the gateway to the access points if session data is found or is generated by the gateway.

The present invention can complement the IEEE 802.1x protocol and greatly reduce the complexity of the protocol.

The basic architecture of the system of the invention is illustrated in FIG. 1, wherein a gateway is used to control a number of access points with simple functions. The access points can be directly connected to the gateway or can be connected to the gateway through a network. Besides the normal IEEE 802.11 physical layer and MAC layer functions, these access points need only support the following additional functions:

Per station session key;

An interface to accept session information (e.g. session key and authorization information) setting commands from the gateway; and

The capability to query the gateway about session information and transfer session information from the gateway.

Among these, the first function is already widely available on many access points on the market today. The other two functions are novel.

The invention also provides methods to deal with session information on the access point with which the wireless station (client) was previously associated, after the client roams to a different access point. In a first method, the gateway informs the previous access point to remove the information. In a second method, the access point sets up a timer to remove all idle wireless station entries after a certain period of inactivity. The second method is preferred because the gateway does not have to send an extra command to remove the entry, and the AP may maintain the entry to deal with “thrashing” scenarios in which the wireless station oscillates between two or more access points rather quickly. Because the entry is already there, the access point may simply inquire of the gateway about the “freshness” of the information instead of transferring all the session information. This may not seem significant if the session information only contains the session key, but with large session information this could be potentially faster and save bandwidth.

There are differences in handling, or transferring, session information generated at the access point versus session information generated at the gateway.

When session information is generated at the access point, it must be transferred to the gateway; thus the gateway must provide an interface for accepting session information, and the access point must be enhanced with the capability of transferring session information to the gateway. This is illustrated in FIG. 3.

When session information is generated at the gateway, the session information needs to be transferred to the access point that the wireless station is associated with. There are no additional functionalities required at the access point beyond the basic functions mentioned earlier.

For the scheme to be secure, it must be ensured at all times that the connection between the gateway and each AP is trusted. This can be ensured through either physical security or encryption.

Physical security requires attaching the access points directly to the gateway or through a managed network.

Encryption requires that upon initial installation and configuration, the gateway and access points share a secret, or the gateway shares a secret with each access point. The communication between the gateway and the access points is encrypted with the secret(s).

For large deployments of this invention, and to facilitate faster roaming, multiple gateways can be organized in a hierarchy. Each gateway is responsible for a number of access points. When the wireless station roams among the access points belonging to the same gateway, session transfer is controlled by this gateway. Only when the station associates with the WLAN for the first time, or when it roams across access points belonging to different gateways, is it necessary for the gateway to fetch session information from the gateway higher in the hierarchy.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an embodiment of a system of the invention having a gateway in the wired network, the wired network comprising access points.

FIG. 2 illustrates a flow chart of a first example of an authentication and association process among a wireless station, an access point, and a gateway according to the invention.

FIG. 3 illustrates a second example of an authentication and association process among a wireless station, an access point, and a gateway according to the invention.

FIG. 4 illustrates a third example of an authentication and association process among a wireless station, an access point, and a gateway according to the invention.

DETAILED DESCRIPTION

Referring first to FIG. 1, an embodiment of a system according to the invention is illustrated wherein access points 11, 12, and 13 are connected to a wired network 14. There is no limit to the number of access points in the wired network. A smart gateway 15 is connected to the wired network 14. Wireless clients, such as laptop computers 16 and 17 and personal data assistants 18 and 19, are illustrated as communicating with the access points 11, 12, 13. Present generation clients and access points use 802.11 protocols.

Referring next to FIG. 2, a process is illustrated wherein a wireless station 16 requests an association with an access point 11 during step 20. The access point 11 relays the session data request to the gateway 15 during step 21. During step 22, the gateway 15 looks up the session data, and if session data is not found during step 23, a session data failure signal is relayed during step 24 to the access point 11, which then generates session data during step 25, sends the generated session data during step 26 to the gateway 15, and also sends an association response to the wireless station 16 during step 27.

The session information (including session key and authorization information) can be generated at the access points, as illustrated in FIG. 2, or at the gateway, as illustrated in FIG. 3, wherein the wireless station 16 requests an association with an access point 11 during step 20. The access point relays the session data request to the gateway 15 during step 21. The gateway 15 looks up the session data during step 22, and if session data is not found during step 23, the gateway generates the session data during step 28 and sends a session data response back to the access point 11 during step 29. The access point 11 loads the session data during step 30 and sends the association response back to the wireless station 16 during step 27.

As illustrated in FIG. 2, FIG. 3, and FIG. 4, the access point first checks with the gateway to see if session information already exists for the wireless station. If session information does not already exist, as illustrated in FIGS. 2 and 3, the wireless station has not been authenticated by the WLAN yet or the previous authentication has expired. The normal authentication steps are carried out, and session information (including the session key) is generated for the station and is set in both the currently associated access point and the gateway.

If session information already exists, for example when the wireless station roams from one access point to another, the gateway returns it to the access point. The access point sets that information (including the session key) in the access point. An example of such a process is illustrated in FIG. 4, wherein the wireless station 16 sends the association request to access point 11 during step 20, which relays the session data request to the gateway 15, which in turn looks up the session data during step 22 and finds it. The gateway 15 sends the session data during step 29 to the access point 11, which then loads the session data during step 30 and sends an association response to the wireless station 16 during step 27.

This simple procedure ensures that session information travels with the wireless station from one access point to another without the station having to go through authentication all over again.
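As an added illustration (not code from the patent), the following Python simulation models the session data exchange of FIGS. 2 and 4 together with the idle-entry timer of the second removal method described above; the Gateway and AccessPoint classes, the status strings, and the client address are constructed for this example, and the full 802.1x authentication of step 25 is stood in for by a random 128-bit key.

```python
import secrets

class Gateway:
    def __init__(self, generates_sessions):
        # True models FIG. 3 (gateway generates on a miss); False, FIG. 2.
        self.generates_sessions = generates_sessions
        self.sessions = {}  # client MAC -> {"key": bytes, "auth": str}

    def session_data_request(self, client_mac):
        # Steps 21-24, 28-29: look up, then return, generate, or fail.
        data = self.sessions.get(client_mac)
        if data is not None:
            return "found", data
        if self.generates_sessions:
            data = {"key": secrets.token_bytes(16), "auth": "allow"}
            self.sessions[client_mac] = data
            return "generated", data
        return "failure", None

    def set_session_data(self, client_mac, data):
        # Step 26: an access point reports session data it generated.
        self.sessions[client_mac] = data

class AccessPoint:
    def __init__(self, gateway, idle_timeout):
        self.gateway, self.idle_timeout = gateway, idle_timeout
        self.clients = {}  # client MAC -> {"data": ..., "last_seen": float}

    def associate(self, client_mac, now):
        # Step 20: association request; ask the gateway before authenticating.
        status, data = self.gateway.session_data_request(client_mac)
        if status == "failure":
            # Step 25: full authentication would run here; its session key
            # is modelled by a random 128-bit value (constructed).
            data = {"key": secrets.token_bytes(16), "auth": "allow"}
            self.gateway.set_session_data(client_mac, data)
        # Step 30: load the session data; step 27 would send the response.
        self.clients[client_mac] = {"data": data, "last_seen": now}
        return "roamed" if status == "found" else "authenticated"

    def expire_idle(self, now):
        # Second removal method: drop entries idle longer than idle_timeout.
        idle = [m for m, e in self.clients.items()
                if now - e["last_seen"] > self.idle_timeout]
        for m in idle:
            del self.clients[m]
        return idle

def demo():
    gw = Gateway(generates_sessions=False)
    ap1, ap2 = AccessPoint(gw, 60), AccessPoint(gw, 60)
    mac = "00:11:22:33:44:55"  # constructed client address
    first, second = ap1.associate(mac, now=0), ap2.associate(mac, now=10)
    same_key = ap1.clients[mac]["data"]["key"] == ap2.clients[mac]["data"]["key"]
    return first, second, same_key, ap1.expire_idle(now=100)
```

The roam to the second access point reuses the key the gateway already holds, while the first access point keeps its entry until the idle timer removes it.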

Thus the invention described herein provides a secure wireless local area network infrastructure for seamless roaming with smart gateways and simple access points.

While the invention has been described in detail herein, various alternatives, modifications, and improvements should become readily apparent to those skilled in this art without departing from the spirit and scope of the invention.

1. A system for enabling roaming of wireless clients among wireless access points comprising a gateway in a wired network which comprises access points, the gateway having means to (a) receive session data requests from access points, the session data including a session key associated with each wireless client and an associated access point, (b) look up session data, and (c) send session data back to the requesting access points, the access points having means to send requests for session data from the gateway and means to receive session information setting commands from the gateway.
2. The system of claim 1 wherein each access point has means to maintain a session key per associated client.
3. The system of claim 1 wherein the gateway has means to remove session information after a wireless client becomes disassociated with an access point comprising sending a command to the access point to remove the session information and/or to remove idle wireless client entries after a predetermined period of inactivity.
4. The system of claim 1 having means to ensure that a connection between the gateway and an access point is trusted.
5. The system of claim 4 wherein the means comprises physical security or encryption.
6. A method of enabling roaming of wireless clients among wireless access points in a network comprising the steps of (a) providing a gateway in the network, sending session data requests from access points to the gateway, the session data including a session key associated with each wireless client and an associated access point, (b) looking up session data stored in the gateway, reporting session data failure if session data is not found, and (c) sending a session data response from the gateway to the access point if session data is found or is generated by the gateway.
7. The method of claim 6 wherein an association request from a wireless station is received by an access point and, after receiving a session data response from the gateway, the access point loads session data and sends the session data to the wireless client.
8. The method of claim 6 wherein an association request from a wireless client is received by an access point and, after receiving a session data failure response from the gateway, the access point generates session data, reports the generated session data to the gateway and sends an association response to the wireless client.
9. The method of claim 6 comprising removing session information from the previously associated access point after a wireless client becomes associated with a new access point comprising the gateway sending a command to the previously associated access point to remove the session information or automatically removing idle wireless client entries after a predetermined period of inactivity.
10. The method of claim 6 wherein the gateway authenticates an access point to ensure that a connection between the gateway and the access point is trusted.
11. The method of claim 10 wherein the authentication is encrypted.
12. A computer readable medium containing instructions that, when executed by a processor in a gateway in a wired network which comprises access points, performs the steps of (a) receiving session data requests from access points to the gateway, the session data including a session key associated with each wireless client and an associated access point, (b) looking up session data stored in the gateway, reporting session data failure if session data is not found, and (c) sending a session data response from the gateway to the access point if session data is found or is generated by the gateway.
13. A computer readable medium comprising instructions that, when executed by a processor in a wireless access point in a network, performs the steps of receiving an association request from a wireless client and, after receiving a session data response from a gateway, loads session data and sends the session data to the wireless station, the session data including a session key associated with each wireless client and an associated access point.
14. The computer readable medium of claim 13 wherein after receiving a session data failure response from the gateway, performs the steps of generating session data, reporting the generated session data to the gateway and sending an association response to the wireless station.
15. The computer readable medium of claim 13 which performs the steps of removing session information from a previously associated access point after a wireless client becomes associated with a new access point, sending a command to the previously associated access point to remove the session information or automatically removing idle wireless client entries after a predetermined period of inactivity.
16. The computer readable medium of claim 13, which performs the steps of authenticating an access point to ensure that a connection between the gateway and the access point is trusted.
17. The computer readable medium of claim 16 wherein the authentication is encrypted.